Cover V09, I08

Automating ftp with Expiring Passwords

Russ Hill

Most networks require passwords that have a finite lifetime. By limiting the life of the password, you limit the time in which a stolen password can be exploited by an intruder. One disadvantage of expiring passwords, however, is that they make some tasks more difficult to automate. An automated process that requires a client computer to use a password will not connect if the client’s password for the server has expired.

For example, consider the case where a local Oracle database is deployed on a Web server computer. The local database requests and receives updates from a mainframe computer. The network segment connecting the Oracle computer with the mainframe is part of the corporate network and is protected by a firewall.

The Oracle computer maintains an account on the mainframe in order to request and receive updates. If the Oracle computer’s account on the mainframe periodically expires, the update request will fail until the password is manually reset. This article describes a program that automates the process of password assignment so that, even though the mainframe requires an expiring password, a user will never have to manually reset the password for the Oracle account.

netrc_check

The netrc_check script I provide here automates the use of ftp through .netrc. It uses a password generator, updates the .netrc file, and changes the password on the mainframe. The script is run from cron, usually about once every 30-60 days, depending on your mainframe's expiration policy. netrc_check (Listing 1) sends passwords in clear text and is therefore designed for use only in environments protected behind the firewall.
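The .netrc update step described above, as an added example (this is not the author's Listing 1). The function name `netrc_set_password` is hypothetical; it assumes whitespace-free passwords, no `macdef` blocks, and an available `mktemp`, and it leaves out the mainframe-side password change.

```shell
#!/bin/sh
# Added example: replace the stored password for one host in a .netrc file.
# The new file is written owner-only and renamed into place, so a reader never
# sees a half-written or world-readable credential file. Most ftp clients
# refuse a .netrc that holds a password and is readable by other users.

# netrc_set_password FILE MACHINE NEWPASS
# Returns 0 on success, 1 on bad arguments, 2 if MACHINE has no password entry.
netrc_set_password() {
    file=$1 machine=$2 newpw=$3
    [ -f "$file" ] && [ -n "$machine" ] || return 1
    tmp=$(mktemp "${file}.XXXXXX") || return 1    # mktemp creates it mode 0600
    rc=0
    # The password travels on stdin (first line), not in awk's argument list,
    # so it does not show up in ps output.
    { printf '%s\n' "$newpw"; cat "$file"; } | awk -v m="$machine" '
        NR == 1 { pw = $0; next }
        {
            # .netrc is a token stream; a value may sit on the line after its keyword.
            for (i = 1; i <= NF; i++) {
                if (want)      { $i = pw; want = 0; done = 1 }
                else if (getm) { cur = $i; getm = 0 }
                else if (skip) { skip = 0 }
                else if ($i == "machine") getm = 1
                else if ($i == "default") cur = ""
                else if ($i == "password" && cur == m) want = 1
                else if ($i == "login" || $i == "password" || $i == "account") skip = 1
            }
            print
        }
        END { exit(done ? 0 : 2) }' > "$tmp" || rc=$?
    if [ "$rc" -ne 0 ]; then
        rm -f "$tmp"                # leave the original file untouched
        return "$rc"
    fi
    chmod 600 "$tmp" && mv -f "$tmp" "$file"   # rename is atomic within one filesystem
}
```

Change the password on the server first and rewrite .netrc only after that succeeds, so a failed change never leaves the file holding a password the server does not accept.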

mpw

mpw is a C program (Listing 2). It generates passwords that are phonetic in English and that work with most mainframes.

Conclusion

Mainframes are always going to be involved, and there are many reasons to send files to or get files from them. Usually, they will require expiring passwords. The problem is that you will never use this account yourself, and it will expire. There are many times you will want to get files from a mainframe and load them into Oracle or a local database to speed up queries that touch just a small subset of all the data on the mainframe. Your simple nightly update shell script to get your mainframe data will look something like this:

#!/bin/sh
# <setup here>
ftp -i machinename <<!
get filename
quit
!
# <move files into other formats or
#  other commands here>

I hope you find these scripts useful.

About the Author

Russ is a UNIX consultant with nervewire.com. This is his sixth article for Sys Admin. He can be contacted at: rshill@swbell.net.